
Faith in Organizational Security Lacking

Though I should probably change my LinkedIn password more frequently, I think I’m in the clear this time. If you haven’t changed yours recently, however, now would be a good time, in light of the latest news out of Mountain View. Back in 2012 LinkedIn suffered a data breach in which 6.5 million password hashes were taken and posted online. Nothing extraordinary about that, given how routine breaches have become; what is notable is that only now, four years later, is the full haul from that intrusion being put up for sale on the dark web, and that the 6.5 million hashes seen in 2012 turn out to have been a small slice of it. The complete package, account information for 117 million users, has been listed by a hacker going by “Peace” for 5 bitcoin, roughly $2,200 at current rates.

So, why now? “It is only coming to the surface now. People may not have taken it very seriously back then as it was not spread. To my knowledge the database was kept within a small group of Russians,” one of the people involved with the illicit sale told Motherboard.

Every industry and every company is ultimately at risk of suffering the same kind of breach as LinkedIn. In shoring up defenses against such an event, the human component should not be undervalued amid all the software and security tooling. Speaking at the Secure360 Twin Cities Conference, security journalist Brian Krebs stressed the importance of well-trained staff equipped to detect and analyze cyber threats. One obstacle has been a woeful shortage of security hires at businesses; and even where such professionals are on staff, they often lack the administrative authority to be effective, Krebs said.

“As bad as things are…they are going to get a lot worse,” he also warned, referring to the rising cost of data breaches as more and more organizations become dependent on technology, and thus more exposed. Concurrent with those rising costs for breached companies are plummeting black-market prices for stolen data, thanks to the unprecedented quantities available: credit card information can go for $10 to $15 per card these days.

While Target appears to have gotten its act together after its own massive breach, which also seems to have served as a wake-up call for other companies, government agencies have not shown the same zeal in the wake of last year’s OPM breach. Recent survey findings in “The 2016 State of Cybersecurity from the Federal Cyber Executive Perspective – An (ISC)²® Report” reveal that over half of federal cybersecurity executives disapprove of the government’s response to the breach, believing it was not enough to improve their own agency’s security. Also worrying: 25% of respondents say their organizations made no changes after the OPM incident, and 40% believe their agency lacks an effective data-breach response plan. Other findings list a lack of clarity about policy and accountability, dissatisfaction with the status quo, and poor departmental cooperation as chief concerns.

Even with all this information at hand, there are still companies out there that are not taking the threat of a data breach seriously. I’m pretty sure conducting business as usual and expecting different results snugly fits the definition of insanity.